{
"displayName": "Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK.",
"metadata": {
"category": "Cache",
"version": "1.0.0"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Cache/redisEnterprise"
},
{
"field": "Microsoft.Cache/redisEnterprise/encryption.customerManagedKeyEncryption",
"exists": "false"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}{"displayName":"Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data","policyType":"BuiltIn","mode":"Indexed","description":"Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default,customer data is encrypted with platform-managed keys (PMK),but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle,including rotation and management. Learn more at https://aka.ms/RedisCMK.","metadata":{"category":"Cache","version":"1.0.0"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redisEnterprise"},{"field":"Microsoft.Cache/redisEnterprise/encryption.customerManagedKeyEncryption","exists":"false"}]},"then":{"effect":"[parameters('effect')]"}}}thenExistenceCondition (1)
{
"displayName": "Azure Cache for Redis Enterprise should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
"metadata": {
"version": "1.0.0",
"category": "Cache"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Cache/redisEnterprise"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Cache/redisEnterprise/privateEndpointConnections",
"existenceCondition": {
"field": "Microsoft.Cache/redisEnterprise/privateEndpointConnections/privateLinkServiceConnectionState.status",
"equals": "Approved"
}
}
}
}
}{"displayName":"Azure Cache for Redis Enterprise should use private link","policyType":"BuiltIn","mode":"Indexed","description":"Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances,data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.","metadata":{"version":"1.0.0","category":"Cache"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Cache/redisEnterprise"},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Cache/redisEnterprise/privateEndpointConnections","existenceCondition":{"field":"Microsoft.Cache/redisEnterprise/privateEndpointConnections/privateLinkServiceConnectionState.status","equals":"Approved"}}}}}thenExistenceCondition (1)
{
"displayName": "Configure Azure Cache for Redis Enterprise with private endpoints",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.",
"metadata": {
"category": "Cache",
"version": "1.1.0"
},
"parameters": {
"privateEndpointSubnetId": {
"type": "String",
"metadata": {
"displayName": "privateEndpointSubnetId",
"description": "A subnet in the selected subscription/virtual network in which the private endpoint is configured",
"strongType": "Microsoft.Network/virtualNetworks/subnets"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Cache/redisEnterprise"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Cache/redisEnterprise/privateEndpointConnections",
"evaluationDelay": "AfterProvisioning",
"existenceCondition": {
"field": "Microsoft.Cache/redisEnterprise/privateEndpointConnections/privateLinkServiceConnectionState.status",
"equals": "Approved"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"name": {
"value": "[field('name')]"
},
"serviceId": {
"value": "[field('id')]"
},
"privateEndpointSubnetId": {
"value": "[parameters('privateEndpointSubnetId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"serviceId": {
"type": "string"
},
"privateEndpointSubnetId": {
"type": "string"
}
},
"variables": {
"privateEndpointName": "[concat('pe-m-',substring(parameters('name'),0,min(length(parameters('name')),47)),'-',uniquestring(deployment().name))]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('privateEndpointName')]",
"apiVersion": "2020-06-01",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceId": {
"type": "string"
},
"privateEndpointSubnetId": {
"type": "string"
},
"subnetLocation": {
"type": "string"
}
},
"variables": {
"privateEndpointName": "[deployment().name]"
},
"resources": [
{
"name": "[variables('privateEndpointName')]",
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-07-01",
"location": "[parameters('subnetLocation')]",
"tags": {},
"properties": {
"subnet": {
"id": "[parameters('privateEndpointSubnetId')]"
},
"privateLinkServiceConnections": [
{
"name": "[variables('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[parameters('serviceId')]",
"groupIds": [
"redisEnterprise"
],
"requestMessage": "autoapprove"
}
}
],
"manualPrivateLinkServiceConnections": []
}
}
]
},
"parameters": {
"serviceId": {
"value": "[parameters('serviceId')]"
},
"privateEndpointSubnetId": {
"value": "[parameters('privateEndpointSubnetId')]"
},
"subnetLocation": {
"value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
}
}
}
}
]
}
}
}
}
}
}
}{"displayName":"Configure Azure Cache for Redis Enterprise with private endpoints","policyType":"BuiltIn","mode":"Indexed","description":"Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources,you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.","metadata":{"category":"Cache","version":"1.1.0"},"parameters":{"privateEndpointSubnetId":{"type":"String","metadata":{"displayName":"privateEndpointSubnetId","description":"A subnet in the selected subscription/virtual network in which the private endpoint is configured","strongType":"Microsoft.Network/virtualNetworks/subnets"}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Cache/redisEnterprise"},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Cache/redisEnterprise/privateEndpointConnections","evaluationDelay":"AfterProvisioning","existenceCondition":{"field":"Microsoft.Cache/redisEnterprise/privateEndpointConnections/privateLinkServiceConnectionState.status","equals":"Approved"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","parameters":{"name":{"value":"[field('name')]"},"serviceId":{"value":"[field('id')]"},"privateEndpointSubnetId":{"value":"[parameters('privateEndpointSubnetId')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"name":{"type":"string"},"serviceId":{"type":"string"},"privateEndpointSubnetId":{"type":"string"}},"variables":{"privateEndpointName":"[concat('pe-m-',subs
tring(parameters('name'),0,min(length(parameters('name')),47)),'-',uniquestring(deployment().name))]"},"resources":[{"type":"Microsoft.Resources/deployments","name":"[variables('privateEndpointName')]","apiVersion":"2020-06-01","properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serviceId":{"type":"string"},"privateEndpointSubnetId":{"type":"string"},"subnetLocation":{"type":"string"}},"variables":{"privateEndpointName":"[deployment().name]"},"resources":[{"name":"[variables('privateEndpointName')]","type":"Microsoft.Network/privateEndpoints","apiVersion":"2020-07-01","location":"[parameters('subnetLocation')]","tags":{},"properties":{"subnet":{"id":"[parameters('privateEndpointSubnetId')]"},"privateLinkServiceConnections":[{"name":"[variables('privateEndpointName')]","properties":{"privateLinkServiceId":"[parameters('serviceId')]","groupIds":["redisEnterprise"],"requestMessage":"autoapprove"}}],"manualPrivateLinkServiceConnections":[]}}]},"parameters":{"serviceId":{"value":"[parameters('serviceId')]"},"privateEndpointSubnetId":{"value":"[parameters('privateEndpointSubnetId')]"},"subnetLocation":{"value":"[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"}}}}]}}}}}}}Used in 1 Policy Set(s):
• [Preview]: Resources should be Zone Resilient (130fb88f-0fc9-4678-bfe1-31022d71c7d5) [Resilience] BuiltIn
{
"displayName": "[Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage.",
"metadata": {
"category": "Resilience",
"version": "1.0.0-preview",
"preview": true
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "This parameter lets you choose the effect of the policy. If you choose Audit (default), the policy will only audit resources for compliance. If you choose Deny, the policy will deny the creation of non-compliant resources. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Cache/redisEnterprise"
},
{
"count": {
"field": "Microsoft.Cache/redisEnterprise/zones[*]"
},
"less": 3
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}{"displayName":"[Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant","policyType":"BuiltIn","mode":"Indexed","description":"Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage.","metadata":{"category":"Resilience","version":"1.0.0-preview","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"This parameter lets you choose the effect of the policy. If you choose Audit (default),the policy will only audit resources for compliance. If you choose Deny,the policy will deny the creation of non-compliant resources. If you choose Disabled,the policy will not enforce compliance (useful,for example,as a second assignment to ignore a subset of non-compliant resources in a single resource group)."},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Cache/redisEnterprise"},{"count":{"field":"Microsoft.Cache/redisEnterprise/zones[*]"},"less":3}]},"then":{"effect":"[parameters('effect')]"}}}